
wiremind-helm-charts's Introduction


wiremind Helm Charts

This is a set of Helm Charts used and maintained by Wiremind. Do not hesitate to create Pull Requests.

All charts are visible from the Artifact Hub: https://artifacthub.io/packages/search?repo=wiremind&sort=relevance&page=1

CRDs charts

To update the CRDs of a specific chart, please refer to its README.md. If there is none, just copy and paste the upstream CRDs into ours.

Then run this command:

MY_CHART="mycrdschartname"
find "./charts/$MY_CHART" -type f -exec sed -i -e '/creationTimestamp: null/d' {} \;

Running this command is mandatory because of this:

During the upgrade to controller-tools@v2 for v1alpha2, we noticed a failure would occur running Cluster API test suite against the new CRDs, specifically spec.metadata.creationTimestamp in body must be removed. The investigation showed that controller-tools@v2 behaves differently than its previous version when handling types from metav1 package.

In more details, we found that embedded (non-top level) types that embedded metav1.ObjectMeta had validation properties, including for creationTimestamp (metav1.Time). The metav1.Time type specifies a custom json marshaller that, when IsZero() is true, returns null which breaks validation because the field isn't marked as nullable.

In future versions, controller-tools@v2 might allow overriding the type and validation for embedded types. When that happens, this hack should be revisited.

wiremind-helm-charts's People

Contributors

aeimer, alisterd51, antoinerabany, ashish1099, balazs92117, bkomraz1, boniek83, capuche2412, davhdavh, dependabot[bot], desaintmartin, elouaeramine, flodpt, francoisminaud, gowdab, gzjon, huangkevin404, irasnyd, jplitza, juliansteger, machine424, maxime1907, mblanloeil, niklev, romankor, sastorsl, spnngl, tamcore, tommygarvin, vladlosev

wiremind-helm-charts's Issues

[karma]: No secure way of adding basic-auth Alertmanager endpoints

There's currently no secure way of adding basic-auth endpoints in the alertmanager.servers.* configuration; the only way to provide those is plain text and, although the password is encrypted in the logs, it's not really safe to commit in your git repositories.

I have a few proposals on how to tackle this

1️⃣ option

A potential workaround would be to define a list variable in the values file that could point to the Secret that holds the password for the desired Alertmanager endpoint, something like:

alertmanagerBasicAuthSecrets:
  - alertmanager-secret-instance01
  - alertmanager-secret-instance02
  - alertmanager-secret-instance03
  - ...

and then you leave it to the admin to create the necessary secrets for storing the basic-auth password. For now, I think the password is the only thing that needs to be stored in the secret. But still, it would be better to avoid the plain-text http(s)://username:[email protected] uri.

2️⃣ option

Or the simple & lazy way would be to store the whole config in a Secret rather than in a ConfigMap, and there you can use something like the SealedSecret Operator to seal that and push it to git.

3️⃣ option

Splitting the configMap.rawConfig into smaller pieces and extracting the configMap.rawConfig.servers.* into its own variable and store only that as a Secret which can be prepended to the configMap.rawConfig
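
A pre-commit style check for the problem this issue describes, as an added example that is not part of the issue or of the chart: it scans a values file for URIs that carry a password in the userinfo part and reports them with the password masked. The sample file, host names and password are constructed; the key layout follows the configMap.rawConfig.alertmanager.servers structure shown elsewhere on this page.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values file, laid out like the chart's
# configMap.rawConfig.alertmanager.servers list. Hosts and the
# password are made up for this example.
SAMPLE_VALUES = """\
configMap:
  rawConfig:
    alertmanager:
      servers:
        - name: instance01
          uri: https://karma:s3cr3t-example@alertmanager01.example.internal:9093
        - name: instance02
          uri: http://alertmanager02.example.internal:9093
        - name: instance03
          uri: "https://readonly@alertmanager03.example.internal/api@v2"
"""

# A URL candidate runs up to whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def find_embedded_credentials(text):
    """Return (line_number, redacted_url) for every URL that carries a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            try:
                parts = urlsplit(match.group(0))
            except ValueError:
                continue  # malformed authority (for example a broken IPv6 literal)
            if not parts.password:
                continue  # no userinfo, or a username without a password
            # Keep host:port exactly as written and mask only the password,
            # so the report itself does not leak the secret.
            hostport = parts.netloc.rpartition("@")[2]
            redacted = urlunsplit((
                parts.scheme,
                f"{parts.username}:***@{hostport}",
                parts.path, parts.query, parts.fragment,
            ))
            findings.append((lineno, redacted))
    return findings


if __name__ == "__main__":
    for lineno, url in find_embedded_credentials(SAMPLE_VALUES):
        print(f"line {lineno}: password embedded in URI {url}")
```
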

Druid chart

Try to run the helm chart.. broker and coordinator failing

Setting druid.indexer.runner.type=httpRemote in /tmp/conf/druid/cluster/master/coordinator-overlord/runtime.properties
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/opt/druid/lib/guice-4.1.0.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
2024-02-23T14:41:26,714 INFO [main] org.hibernate.validator.internal.util.Version - HV000001: Hibernate Validator 5.2.5.Final

SECURITY: Please make sure security related features can be set and have proper defaults

Hi Guys,

I checked our cluster with popeye and we see some issues with this helm chart.

[POP-306] Container could be running as root user. Check SecurityContext/Image.
[POP-300] Using "default" ServiceAccount.
[POP-301] Connects to API Server? ServiceAccount token is mounted.
[POP-302] Pod could be running as root user. Check SecurityContext/Image.

I think it would be good to have the settings for
serviceAccount.automountServiceAccountToken and securityContext in place.
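
A check along the lines of the four findings listed in this issue, as an added example that is not part of the issue, the chart or popeye: it inspects pod specs in the JSON form found under .spec in `kubectl get pod -o json`. The rules are an approximation of what those findings describe, not popeye's own logic, and the two sample specs are constructed.

```python
import json

# Constructed pod specs: one with nothing set (typical chart defaults),
# one hardened at pod level but with a sidecar that overrides the settings.
SAMPLE_PODS = json.loads("""
{
  "defaults": {"containers": [{"name": "app"}]},
  "hardened": {
    "serviceAccountName": "app",
    "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "runAsUser": 1000},
    "containers": [
      {"name": "app"},
      {"name": "sidecar",
       "securityContext": {"runAsNonRoot": false, "runAsUser": 0}}
    ]
  }
}
""")


def _may_run_as_root(ctx):
    # Root is possible unless runAsNonRoot is true or a non-zero UID is pinned.
    return not ctx.get("runAsNonRoot") and not ctx.get("runAsUser")


def audit_pod_spec(spec):
    """Return a list of (code, subject) findings for one pod spec."""
    findings = []
    pod_ctx = spec.get("securityContext") or {}

    # POP-300: no dedicated ServiceAccount.
    if spec.get("serviceAccountName", "default") == "default":
        findings.append(("POP-300", "pod"))
    # POP-301: token is mounted unless the pod explicitly opts out.
    # (A ServiceAccount can also opt out; only the pod spec is checked here.)
    if spec.get("automountServiceAccountToken") is not False:
        findings.append(("POP-301", "pod"))
    # POP-302: pod-level securityContext does not rule out root.
    if _may_run_as_root(pod_ctx):
        findings.append(("POP-302", "pod"))
    # POP-306: container-level fields override the pod-level ones,
    # so each container is judged on its effective context.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        effective = {**pod_ctx, **(c.get("securityContext") or {})}
        if _may_run_as_root(effective):
            findings.append(("POP-306", c["name"]))
    return findings


if __name__ == "__main__":
    for name, spec in SAMPLE_PODS.items():
        print(name, audit_pod_spec(spec))
```
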

In clamav helm chart, tolerations don't work

In the latest version of clamav chart (2.4.0), I am trying to use tolerations in the values file.

However, the deployment fails because the indentation is being rendered wrong. I am adding the following lines:

tolerations:
  - key: arch
    operator: "Equal"
    value: "arm64"
    effect: "NoSchedule"

I get the following error:

Error: YAML parse error on clamav/templates/statefulset.yaml: error converting YAML to JSON: yaml: line 54: did not find expected key
helm.go:84: [debug] error converting YAML to JSON: yaml: line 54: did not find expected key

A solution could be to rewrite the template as:

{{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

BUG: unable to set podLabels

Hi,

We are not able to set podLabels in the clamav helm chart. After a quick search, this bug is due to the usage of the indent function instead of nindent.

You can see this here

To reproduce the bug:

values.yaml

podLabels:
  test: test

helm template wiremind/clamav -f values.yaml --debug

Error: YAML parse error on clamav/templates/statefulset.yaml: error converting YAML to JSON: yaml: line 23: mapping values are not allowed in this context
helm.go:84: [debug] error converting YAML to JSON: yaml: line 23: mapping values are not allowed in this context

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: release-name-clamav
  labels:
    app.kubernetes.io/name: clamav
    helm.sh/chart: clamav-2.4.1
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "1.9"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  serviceName: release-name-clamav
  selector:
    matchLabels:
      app.kubernetes.io/name: clamav
      app.kubernetes.io/instance: release-name
  template:
    metadata:
      labels:
        app.kubernetes.io/name: clamav
        app.kubernetes.io/instance: release-name
                test: test

[karma] - v0.83 missing manifest

Hi there. This morning we noticed that:

  Normal   Pulling    33m (x4 over 35m)      kubelet            Pulling image "ghcr.io/prymitive/karma:v0.83"
  Warning  Failed     33m (x4 over 35m)      kubelet            Failed to pull image "ghcr.io/prymitive/karma:v0.83": rpc error: code = Unknown desc = manifest unknown
  Warning  Failed     33m (x4 over 35m)      kubelet            Error: ErrImagePull
  Normal   BackOff    5m15s (x130 over 35m)  kubelet            Back-off pulling image "ghcr.io/prymitive/karma:v0.83"
  Warning  Failed     22s (x151 over 35m)    kubelet            Error: ImagePullBackOff

Overwriting the tag with v0.82 works fine.
It is also worth mentioning that v0.83 worked until this morning.

[clamav] unable to set both freshclam and clamav custom configs at same time.

Hi there,

It is currently not possible to use both the freshclam and clamd configurations at the same time. If we just pass one of the custom configs, it works perfectly.

If both freshclam and clamd configs are passed, the helm template renderer will add two volumeMounts and volumes YAML keys, which is incorrect and one entry will be discarded by kubernetes.

Redacted deployment.yml:

{{- if .Values.freshclamConfig }}
          volumeMounts:
          - name: freshclam-config-volume
            mountPath: /etc/clamav/freshclam.conf
            subPath: freshclam.conf
{{- end }}
{{- if .Values.clamdConfig }}
          volumeMounts:
          - name: clamd-config-volume
            mountPath: /etc/clamav/clamd.conf
            subPath: clamd.conf
{{- end }}

{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.freshclamConfig }}
      volumes:
        - name: freshclam-config-volume
          configMap:
            name: {{ include "clamav.fullname" . }}-freshclam
{{- end }}
{{- if .Values.clamdConfig }}
      volumes:
        - name: clamd-config-volume
          configMap:
            name: {{ include "clamav.fullname" . }}-clamd
{{- end }}

How to reproduce:

$ helm template test --namespace test --values https://gist.githubusercontent.com/C123R/c0ae8a5e44205fcd965a9ab70150a7e6/raw/e32f27762afa415486c4e4abff10daef72fe7acc/values.yml  wiremind/clamav | grep volume

volumeMounts:
      - name: freshclam-config-volume
volumeMounts:
      - name: clamd-config-volume
volumes:
     - name: freshclam-config-volume
volumes:
     - name: clamd-config-volume

Remove versions from volumeClaimTemplates labels

I tried to install a new version of clamAv on our kubernetes cluster via the helm upgrade --install command while a previous version was already installed and got the following error :

Error: UPGRADE FAILED: release clamav failed, and has been rolled back due to atomic being set: cannot patch "clamav" with kind StatefulSet: StatefulSet.apps "clamav" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', 'updateStrategy', 'persistentVolumeClaimRetentionPolicy' and 'minReadySeconds' are forbidden helm.go:84: [debug] cannot patch "clamav" with kind StatefulSet: StatefulSet.apps "clamav" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', 'updateStrategy', 'persistentVolumeClaimRetentionPolicy' and 'minReadySeconds' are forbidden

I believe the reason is that the labels in the volumeClaimTemplates of the StatefulSet contain the appVersion and the version of the helm chart. Those versions obviously change when the app or the chart get updated but volumeClaimTemplates in a StatefulSet are not allowed to be updated.
I looked at other StatefulSets that we use and they don't have versions in the labels or no labels at all.
This can of course be worked around by deleting the helm release and installing again but it would still be nice if it got fixed.

[karma] Allow passing private CA from a ConfigMap

Most of the time, certificate authorities can be stored in a ConfigMap, as the certificate itself is not sensitive information.
In my setup, the company CA is synced in all the user namespaces, in a configmap resource. I'd like to use this configmap instead of having to create some specific secret for Karma.

See
https://github.com/wiremind/wiremind-helm-charts/blob/main/charts/karma/values.yaml#L178-L184
https://github.com/wiremind/wiremind-helm-charts/blob/main/charts/karma/templates/deployment.yaml#L131-L136

[karma] Upgrade Ingress definition as extensions/v1beta1 Ingress is deprecated

When activating the ingress with the karma chart, the following warning is displayed.

Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

Could it be possible to update the Ingress manifest to use the networking.k8s.io/v1 definition?

I was unable to deploy it on OpenShift 4.7; I had to create one manually and turn Ingress off.

Feat [karma] Some chart values should be evaluated by tpl function

Is your feature request related to a problem?

When installing multiple Helm charts to multiple environments, where the charts require values defined from base environment properties, I want to avoid creating multiple values files for each chart.

karma:
  values.yaml
  values-env1.yaml
  values-env2.yaml
  values-env3.yaml

argocd:
  values.yaml
  values-env1.yaml
  values-env2.yaml
  values-env3.yaml

Instead, I want the values.yaml in each chart to reference values from an environment values file that will be used for multiple charts.

# values-shared-env1.yaml
global:
  dnsDomain: .my.env.domain
configMap:
   rawConfig:
     alertmanager:
       servers:
       - name: default
         uri: http://alertmanager:9093
         external_uri: "https://alertmanager{{.Values.global.dnsDomain}}"
  
ingress:
  hosts:
  - "karma{{ .Values.global.dnsDomain }}"

Related helm chart

karma

Describe the solution you'd like

Some values should be evaluated by "tpl" function

host: {{ tpl $host .  }}

Clamav ingress 'UNKNOWN COMMAND'

I'm installing clamav on an EKS cluster version 1.24. The pod is up and running, but when trying to access the ingress URL I get the message "UNKNOWN COMMAND".

Nginx controller version 4.1 with NLB as a service

Using ClamAV with persistentVolume

I have enabled the persistentVolume in my ClamAV configuration:

apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: clamav
spec:
  releaseName: clamav
  targetNamespace: clamav
  chart:
    repository: https://wiremind.github.io/wiremind-helm-charts
    name: clamav
    version: 2.6.2
  values:
    image:
      repository: ghcr.io/mailu/clamav # Should be a mirror on our docker-registry
      tag: 1.9.50
    ## Clamav data dir persistence
    persistentVolume:
      enabled: true
      accessModes:
      - ReadWriteOnce
      size: 1Gi

The pv and pvc are created as expected however I'm getting the below error when the container is trying to start:

Tue Aug 29 07:44:56 2023 -> ERROR: Can't create freshclam.dat in /data
Tue Aug 29 07:44:56 2023 -> Hint: The database directory must be writable for UID 2000 or GID 2000
Tue Aug 29 07:44:56 2023 -> Hint: The database directory must be writable for UID 2000 or GID 2000

As a workaround I have created a pod associated with the PVC already created and changed the ownership of the /data folder from root to 2000 (chown 2000:2000 /data). But I would like to know if there is any way to fix this issue without having to use the workaround.

I have tried different configurations with podSecurityContext and securityContext but unsuccessfully.

Thank you

Bug: Clair Helm Chart outputs duplicate yaml keys, breaking Kustomize - Error: map[string]interface {}(nil): yaml: unmarshal errors: line 18: mapping key "name" already defined at line 14 ... line 23: mapping key "name" already defined at line 19...

It looks like there are duplicate key bugs in the Clair helm chart's output yaml which breaks Kustomize.

Here is my config:

https://github.com/HariSekhon/Kubernetes-configs/tree/master/clair/base

Quickly reproduce:

$ git clone https://github.com/HariSekhon/Kubernetes-configs k8s

$ cd k8s

$ cd clair/base

$ kustomize build --enable-helm

Error: map[string]interface {}(nil): yaml: unmarshal errors:
  line 18: mapping key "name" already defined at line 14
  line 23: mapping key "name" already defined at line 19

ClamAV image - switch to clamav/clamav?

Hi there

I'm using the helm chart to install ClamAV and saw that the Mailu Image is still on the 0.105 version of clamav which is EOL - https://blog.clamav.net/2023/07/2023-08-16-releases.html

As ClamAV publishes images that are well maintained, I wonder if there are considerations moving to clamav/clamav images - I saw the TODO entry in the values.yaml ;)

It looks like there's also an ongoing discussion about the ClamAV upgrade on mailu Mailu/Mailu#2919
but I wonder if it's not just easier to try to switch to the official image directly.

Prometheus exporter for ClamAV

We have installed ClamAV in our environment, now we need to monitor its metrics.

Does ClamAV support metrics collection by default (any configuration change required), or is there any exporter which can help in fetching the metrics?

cerebro securityContext - empty object not working

I am installing cerebro on openshift and I want to set securityContext to null and bind the deployment to default service account, serviceAccountName: default so that I can get random number from the allowed range. However this is not working as expected as it's still setting the default values originally defined
see
values.yaml:

securityContext: {}

Deployment:

spec:
  securityContext:
    runAsNonRoot: true
    runAsGroup: 1000
    runAsUser: 1000

Issues with indexer in Druid chart

Druid indexer hangs when the ingestion task starts.

In the logs of the Druid broker I see this error log:

2024-04-26T16:03:13,898 ERROR [FilteredHttpServerInventoryView-3] org.apache.druid.server.coordination.ChangeRequestHttpSyncer - failed to get sync response from [http://druid-indexer-default-0:8100/_1714146848195]. Return code [0], Reason: [null]
org.jboss.netty.channel.ChannelException: Faulty channel in resource pool
at org.apache.druid.java.util.http.client.NettyHttpClient.go(NettyHttpClient.java:134) ~[druid-processing-26.0.0.jar:26.0.0]
at org.apache.druid.server.coordination.ChangeRequestHttpSyncer.sync(ChangeRequestHttpSyncer.java:218) ~[druid-server-26.0.0.jar:26.0.0]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: java.net.ConnectException: Connection refused: druid-indexer-default-0/10.43.63.44:8100
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[?:?]
at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:777) ~[?:?]
at org.jboss.netty.channel.socket.nio.NioClientBoss.connect(NioClientBoss.java:152) ~[netty-3.10.6.Final.jar:?]
at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:105) ~[netty-3.10.6.Final.jar:?]
at org.jboss.netty.channel.socket.nio.NioClientBoss.process(NioClientBoss.java:79) ~[netty-3.10.6.Final.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) ~[netty-3.10.6.Final.jar:?]
at org.jboss.netty.channel.socket.nio.NioClientBoss.run(NioClientBoss.java:42) ~[netty-3.10.6.Final.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) ~[netty-3.10.6.Final.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) ~[netty-3.10.6.Final.jar:?]
... 3 more

The strange thing is, there are two services exposed.
